Data mining your children

Students are tracked as they play games, watch videos, read books and take quizzes. | Getty

Unless your product is good enough to sell, “there’s this huge temptation to just make money by selling or exploiting data,” said Matthew Rubinstein, the founder and CEO of LiveSchool, which markets software that helps schools track student behavior.

Children’s personal information “is splintering across the Internet,” said Cameron Evans, Microsoft’s chief technology officer. “Anonymity is going to be more valuable than gold in the near future.”

Text Size

-

+

reset

STUDENT RECORDS AT RISK

Ed-tech companies divide into two main camps. Some serve as digital file cabinets for pre-existing student records; they’re basically organizational tools. Others deliver lessons and quizzes online and collect fresh data directly from students as they work.

The POLITICO examination found that both can carry privacy risks.

Take LearnBoost, a startup backed by prominent venture capital firms. It’s marketed as a “free and amazing” tool that lets teachers upload their notes on student attendance, test scores, behavior and more to a digital grade book. Any teacher can sign up, even if her district doesn’t participate.

A key element of the pitch: LearnBoost makes it easy for teachers to email the grade book to parents, students and others “as they see fit.”

LearnBoost does note in passing that confidential student data should be shared “very carefully.” But it offers no guidelines. And privacy advocates find it alarming that a for-profit startup is holding student records and making it easy for teachers to send them zipping around the Internet without supervision from the district.

The company did not return emails seeking comment.

Other sites receive huge amounts of student information directly from schools or districts. The data management site LearnSprout, for instance, stores information such as attendance records, which can be granular to the point of noting head lice, a cold, a doctor’s appointment or bereavement — to name just a few of the categories. Interactive Health Technologies stores multi-year fitness records on students, based on data from heart monitors they wear in P.E., and integrates them with “unlimited data points” from the classroom, including behavioral and nutrition records.

Knowing so much personal data is in a private company’s hands worries some parents, especially in the wake of the cyberattack that stole credit card numbers from tens of millions of Target customers last winter.

K-12 districts and contractors haven’t reported any major data breaches, but it’s been a recurring problem for colleges. In one of the worst incidents, hackers attacked the University of Maryland in February and scooped up records — including social security numbers — for nearly 300,000 students, faculty and staff.

Other companies hold more even more intimate, and potentially more valuable, information on children.

Consider the popular nonprofit tutorial service Khan Academy. It’s free. But users do pay a price: In effect, they trade their data for the tutoring.

The site tracks the academic progress of students 13 and older as they work through online lessons in math, science and other subjects. It also logs their location when they sign in and monitors their Web browsing habits. And it reserves the right to seek out personal details about users from other sources, as well, potentially building rich profiles of their interests and connections.

After POLITICO inquired about Khan Academy’s privacy policy, which gave it the right to draw on students’ personal information to send them customized advertising, the policy was completely rewritten. The new text, posted online late last week, emphasizes Khan Academy’s commitment to protecting privacy and deletes the line about targeted advertising.

But the revised policy makes clear that Khan Academy still allows third parties, such as YouTube and Google, to place the tiny text files known as “cookies” on students’ computers to collect and store information about their Web usage. Khan Academy also states that it may share personal information with app developers and other external partners, with students’ consent.

A spokeswoman for the site said Khan Academy’s main goal in collecting data is to “help students learn effectively and efficiently.”

MURKY PRIVACY POLICIES — OR NONE AT ALL

Parents and teachers typically turn to companies’ privacy policies to try to figure out what student data is being collected and how it could be used. Clarity is a rarity.

Even companies that assert they do not sell personal information typically reserve the right to change that policy at any time. Most won’t notify users in the event of such a change. Instead, they recommend reading the online privacy policy regularly to see if it’s been updated.

Most policies also indicate that student information will trade hands, and may be subject to an entirely new privacy policy, if the company is sold — a common fate for a start-up.

Then there’s the legal jargon and fuzzy terminology to unravel.

Moodle, which many schools use as a forum for students to post work and communicate with teachers, states that it won’t share users’ personal information — “but it may be accessible to those volunteers and staff who administer the site and infrastructure.” Who are those volunteers? Are they trained to protect user privacy? The site lists an email address for users to get more information, but questions sent to that address bounced back.

Google’s privacy policy is considerably more detailed, but until recently, it did not make clear that the company scanned all emails sent through its Google Apps for Education platform, which is used by millions of students and teachers. The automated scan picked out key words that might suggest a user was, say, planning a camping trip. Google could then use that information to target ads to that individual. It did not routinely send ads to students, but it did direct them to alumni who used the Google Apps for Education platform.

After angry students filed a lawsuit, Google updated its terms of service to acknowledge the email scanning — and then announced late last month that it would stop the practice altogether for customers using Apps for Education.

Other companies don’t make any privacy policy at all available for parents to review, POLITICO has found.

The data storage and analytics firm eScholar, which sells software to help districts manage records on 20 million students — and stores some of that data on its servers — does not have a posted privacy policy. Spokeswoman Ann Tarasena said the company is working on it. In the meantime, eScholar writes privacy protections into its contracts with districts. It wouldn’t release the contracts — citing privacy concerns.

On Thursday, responding to questions raised by this article, the company posted online a statement of its general privacy principles, including a pledge not to sell student data.

Then there’s Panorama Education, a data analytics platform used by thousands of schools and backed by investors including Facebook’s Mark Zuckerberg and actor Ashton Kutcher.

CEO Aaron Feuer said the company abides by each district’s privacy rules, but it does not have a blanket policy to share with the public.

The lack of consistent standards troubles Sen. Markey, who has become a leading voice on consumer privacy in Congress.

“The goal here should be to help scholars make the grade,” Markey said, “not help companies make a sale.”

DATA DEMANDS ESCALATE

In recent months, more than 30 public school districts from Bainbridge Island, Washington, to Broward County, Florida, have signed partnerships with a nonprofit called Code.org. The organization gives schools free curricular materials and teacher training to set up computer science classes.

All it asks for in exchange: Data. Lots and lots of data.

Code.org requires that its partner schools turn over up to a dozen years of academic records, including test scores, on every participating student, according to a model contract reviewed by POLITICO.